Solved PowerShell file


sneekez

Well-known member
VIP
Local time
11:40 PM
Posts
25
Location
Reno, NV
OS
Windows 11
Good Morning all...can someone shed some light on a .ps1 file? I keep getting, daily, a .ps1 file dropped into my users/username folder. For example, one is sYAYs.ps1, another t9iOr.ps1. I'm assuming it's a trojan, as Malwarebytes states, but what is generating it? Thank you
 

My Computers My Computers

  • At a glance

    Windows 11I7 Gen 816gbnVidia
    OS
    Windows 11
    Computer type
    Laptop
    Manufacturer/Model
    Dell I7 7773
    CPU
    I7 Gen 8
    Memory
    16gb
    Graphics Card(s)
    nVidia
    Sound Card
    Realtek
    Monitor(s) Displays
    17
    Screen Resolution
    1920x1080
    Hard Drives
    nvme m2 512gb
    Mouse
    MS BT 5000
    Internet Speed
    400
    Browser
    Edge
    Antivirus
    Defender and Malwarebytes
  • At a glance

    Windows 1111th gen i716 gbNvidia GeForce 1660 Super
    Operating System
    Windows 11
    Computer type
    PC/Desktop
    Manufacturer/Model
    Dell XPS 8940
    CPU
    11th gen i7
    Memory
    16 gb
    Graphics card(s)
    Nvidia GeForce 1660 Super
    Sound Card
    RealTek
    Monitor(s) Displays
    27" Samsung UHD
    Screen Resolution
    3840x2160 4k
    Hard Drives
    512 Samsung SSD plus one 2tb SSD
    PSU
    360 watt
    Case
    Dell
    Cooling
    Dell
    Mouse
    MS BT 5000
    Internet Speed
    400
    Browser
    Edge
    Antivirus
    Defender and MalwareBytes
How is it getting delivered? Names alone can't tell us much, but random names are often associated with either malware, configuration systems, update systems, etc.
 

My Computer My Computer

At a glance

Linux Mint
OS
Linux Mint
Computer type
Laptop
Manufacturer/Model
System76 Lemur Pro
I'm not sure how it's being delivered. That was/is my main question. I can't seem to figure out how it's getting there.
 

Well where is the file showing up? Email, on the computer somewhere, if so where?
 

These are the reports I'm able to get off of MB. When I look at the bottom post from MB it shows 'Software Info'. The file shows up in users/username/file.

[attachments: 1760630891174.webp, 1760631016770.webp (Malwarebytes report screenshots)]
 

Does Malwarebytes provide a hash? (MD5, SHA1, SHA2, SHA256 etc)
 

Ok...the software info is MB, sorry.
 

No, MB does not, to the best of my knowledge. Also, I have looked at Task Scheduler and see nothing that points to this.
 

Without a hash it's still going to be hard to say where it came from.

My initial thoughts are it's highly probable it is in fact malware, as it's writing to the user directory (a guaranteed place to allow saving files). If you can, and feel comfortable doing so, locate the file, zip it and DM it to me; I'd be happy to analyze it.

You may need to run procmon and have it run at start up. Reboot and then launch procmon again. This should generate a large capture file. Loading that file, you should be able to search for that file name and tell which process is creating it.

You may also want to run autoruns (also from sysinternals) to see if there are any weird looking entries.
 

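Procmon is the right tool for catching the writer red-handed. As an added example (my own code, not from this thread or from Sysinternals), here is a PowerShell watcher that does the complementary evidence-capture job: the moment a new .ps1 appears in the profile folder it hashes the file, keeps a copy before the AV quarantines it, snapshots the script-host processes running at that instant (with parent PID and command line), and pulls the last two minutes of PowerShell script-block log events. The evidence folder path is an assumed location; run it in an elevated PowerShell window that stays open so command lines of other users' processes are readable.

```powershell
# Added example, not code from the thread. Watch the profile folder for new .ps1
# files and capture evidence the moment one lands. The evidence folder is assumed.
$Watched  = $env:USERPROFILE
$Evidence = Join-Path $env:USERPROFILE 'ps1-evidence'     # assumed; any folder works
New-Item -ItemType Directory -Path $Evidence -Force | Out-Null

$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path                  = $Watched
$watcher.Filter                = '*.ps1'
$watcher.IncludeSubdirectories = $false
$watcher.EnableRaisingEvents   = $true

$onCreated = {
    $evidence = $Event.MessageData                  # passed in via -MessageData below
    $path     = $Event.SourceEventArgs.FullPath
    $stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'
    $base     = Join-Path $evidence "$stamp-$([IO.Path]::GetFileNameWithoutExtension($path))"
    Start-Sleep -Milliseconds 500                   # give the writer time to close the file

    # 1. Hash the file and keep a copy with a .txt extension so it cannot run by accident.
    #    (The AV may still quarantine the copy by content; the hash survives in the JSON.)
    try   { $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash }
    catch { $hash = "unreadable: $($_.Exception.Message)" }
    try   { Copy-Item -LiteralPath $path -Destination "$base.txt" -ErrorAction Stop } catch {}

    # 2. Snapshot script hosts alive right now: the parent PID is usually the lead.
    $procs = Get-CimInstance Win32_Process |
        Where-Object { $_.Name -match '^(powershell|pwsh|wscript|cscript|mshta|cmd)\.exe$' } |
        Select-Object ProcessId, ParentProcessId, Name, CreationDate, CommandLine

    # 3. Script-block log entries (event 4104) from the last two minutes. Full coverage
    #    needs Script Block Logging enabled by policy; otherwise Windows only logs blocks
    #    it considers suspicious.
    $blocks = Get-WinEvent -FilterHashtable @{
            LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
            StartTime = (Get-Date).AddMinutes(-2) } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, @{ n = 'Script'; e = {
            $_.Message.Substring(0, [Math]::Min(400, $_.Message.Length)) } }

    [pscustomobject]@{ Time = $stamp; File = $path; SHA256 = $hash
                       Processes = $procs; ScriptBlocks = $blocks } |
        ConvertTo-Json -Depth 4 | Set-Content -LiteralPath "$base.json"
    Write-Host "[$stamp] captured $path -> $base.json (SHA256 $hash)"
}

Register-ObjectEvent -InputObject $watcher -EventName Created -SourceIdentifier Ps1Created `
    -MessageData $Evidence -Action $onCreated | Out-Null
Write-Host "Watching $Watched for new .ps1 files. Stop with: Unregister-Event -SourceIdentifier Ps1Created"
```

Each drop produces one JSON record in the evidence folder; the ParentProcessId of whichever powershell.exe was alive at that second is the thread to pull on next, and the SHA256 is what you would hand to Neemobeer or look up on an IOC exchange.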

This is a non-exhaustive list of mechanisms attackers often use for attacks on computers. See the sections Execution and Persistence and review those mechanisms for signs of compromise: MITRE ATT&CK®
 

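The Persistence section of ATT&CK is long, but on a single Windows PC most of it collapses into a handful of autostart locations. As an added example (my own code, not from this thread, from MITRE, or from Sysinternals), the read-only sweep below walks the Run/RunOnce keys, scheduled task actions, startup folders, permanent WMI event subscriptions and PowerShell profile scripts, and flags any entry that references PowerShell or a .ps1 file. The keyword pattern is my choice; run it elevated so HKLM, all tasks and the WMI namespace are readable.

```powershell
# Added example, not code from the thread. Read-only sweep of common Windows
# autostart/persistence locations; nothing is modified. The regex is an assumption.
$Pattern  = 'powershell|pwsh|\.ps1\b|invoke-expression|\biex\b|frombase64|-enc|-w(indowstyle)?\s+hidden'
$Findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Source, [string]$Name, [string]$Value) {
    if ($Value -and $Value -match $Pattern) {
        $Findings.Add([pscustomobject]@{ Source = $Source; Name = $Name; Value = $Value })
    }
}

# 1. Run / RunOnce keys for the machine and the current user
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -notin $providerProps) { Add-Finding $key $p.Name "$($p.Value)" }
    }
}

# 2. Scheduled task actions. Microsoft's own tasks under \Microsoft\ will match too;
#    look hardest at tasks outside that path and at unfamiliar authors.
foreach ($task in Get-ScheduledTask) {
    foreach ($a in $task.Actions) {
        Add-Finding "Task $($task.TaskPath)$($task.TaskName) (author: $($task.Author))" 'Action' "$($a.Execute) $($a.Arguments)"
    }
}

# 3. Startup folders, following .lnk shortcuts to their real targets
$shell = New-Object -ComObject WScript.Shell
foreach ($folder in 'Startup', 'CommonStartup') {
    $dir = [Environment]::GetFolderPath($folder)
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
        $target = if ($_.Extension -eq '.lnk') {
            $lnk = $shell.CreateShortcut($_.FullName); "$($lnk.TargetPath) $($lnk.Arguments)"
        } else { $_.FullName }
        Add-Finding "Startup folder $dir" $_.Name $target
    }
}

# 4. Permanent WMI event subscriptions, a classic fileless persistence spot
foreach ($class in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer') {
    Get-CimInstance -Namespace 'root\subscription' -ClassName $class -ErrorAction SilentlyContinue |
        ForEach-Object {
            $body = if ($class -eq 'CommandLineEventConsumer') { $_.CommandLineTemplate } else { $_.ScriptText }
            Add-Finding "WMI $class" $_.Name $body
        }
}

# 5. PowerShell profile scripts run on every console start; list any that exist
foreach ($p in 'AllUsersAllHosts', 'AllUsersCurrentHost', 'CurrentUserAllHosts', 'CurrentUserCurrentHost') {
    $profilePath = $PROFILE.$p
    if (Test-Path -LiteralPath $profilePath) { Add-Finding 'PowerShell profile' $p $profilePath }
}

if ($Findings.Count -eq 0) { 'No autostart entry references PowerShell or a .ps1 file.' }
else { $Findings | Sort-Object Source | Format-Table -AutoSize -Wrap }
```

This covers the autostart ground that autoruns covers interactively; it does not replace autoruns (which also checks services, drivers, Winlogon, shell extensions and more), but it is quick to re-run each morning until the daily drop stops.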
You may also want to look at the log file identified, <long-guid>.json, and see if there is a computed hash value in it.
 

It's on the top left of the report posted in #10 above the second attachment.
 

You need to find and open the log file; it's a text file.
 

Found it
"originatingScriptMD5": "2C88159080937808C44452B59EF70AE8",
"originatingScriptSHA256": "89EA874E1753392482607A8C6429D6264D08BD2018A4074D2646FEDBDBE86EDB",
"resolvedPath": "C:\\Users\\sneek\\sYAYs.ps1",
 

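Those three keys (originatingScriptMD5, originatingScriptSHA256, resolvedPath) are the useful part of that log. As an added example (my own code, not from the thread or from Malwarebytes), the snippet below pulls every such triple out of a detection JSON regardless of where it sits in the document, then checks whether the file still exists on disk and whether its current hashes match what the log recorded. The nesting of the Malwarebytes JSON is not known here, so the walker searches the whole tree; the sample it runs on by default is constructed from a harmless temp file.

```powershell
# Added example, not code from the thread or from Malwarebytes. Extract script
# hashes and paths from a detection JSON and verify them against the file on disk.
# Key names come from the log excerpt above; the JSON layout is assumed unknown.

function Find-Key {
    # Recursively walk a ConvertFrom-Json object tree and emit every property whose name is in $Keys.
    param($Node, [string[]]$Keys, [string]$Path = '$')
    if ($null -eq $Node) { return }
    if ($Node -is [System.Collections.IList]) {
        for ($i = 0; $i -lt $Node.Count; $i++) { Find-Key $Node[$i] $Keys "$Path[$i]" }
        return
    }
    if ($Node -is [System.Management.Automation.PSCustomObject]) {
        foreach ($p in $Node.PSObject.Properties) {
            if ($Keys -contains $p.Name) {
                [pscustomobject]@{ Path = "$Path.$($p.Name)"; Key = $p.Name; Value = $p.Value }
            }
            Find-Key $p.Value $Keys "$Path.$($p.Name)"
        }
    }
}

function Get-DetectionRecords {
    # Group the hits by the object they live in, so each record has its own MD5/SHA256/path.
    param([Parameter(Mandatory)][string]$JsonText)
    $doc  = $JsonText | ConvertFrom-Json
    $keys = 'originatingScriptMD5', 'originatingScriptSHA256', 'resolvedPath'
    Find-Key -Node $doc -Keys $keys |
        Group-Object -Property { $_.Path -replace '\.[^.]+$', '' } |
        ForEach-Object {
            $rec = [ordered]@{ Parent = $_.Name }
            foreach ($h in $_.Group) { $rec[$h.Key] = $h.Value }
            [pscustomobject]$rec
        }
}

function Test-DetectionRecord {
    # Compare the logged hashes with the file as it is now (a mismatch means it was rewritten).
    param($Record)
    $r = [ordered]@{ Path = $Record.resolvedPath; SHA256FromLog = $Record.originatingScriptSHA256
                     OnDisk = $false; MD5Match = $null; SHA256Match = $null }
    if ($Record.resolvedPath -and (Test-Path -LiteralPath $Record.resolvedPath)) {
        $r.OnDisk = $true
        if ($Record.originatingScriptMD5) {
            $r.MD5Match = (Get-FileHash -LiteralPath $Record.resolvedPath -Algorithm MD5).Hash -eq $Record.originatingScriptMD5
        }
        if ($Record.originatingScriptSHA256) {
            $r.SHA256Match = (Get-FileHash -LiteralPath $Record.resolvedPath -Algorithm SHA256).Hash -eq $Record.originatingScriptSHA256
        }
    }
    [pscustomobject]$r
}

# Constructed sample: a harmless temp file and a JSON document describing it, so the
# check can be seen succeeding without a real detection.
$samplePath = Join-Path $env:TEMP 'constructed-sample.txt'
Set-Content -LiteralPath $samplePath -Value '# constructed sample file, does nothing'
$sampleJson = @{ detections = @(@{
    originatingScriptMD5    = (Get-FileHash -LiteralPath $samplePath -Algorithm MD5).Hash
    originatingScriptSHA256 = (Get-FileHash -LiteralPath $samplePath -Algorithm SHA256).Hash
    resolvedPath            = $samplePath }) } | ConvertTo-Json -Depth 4

$LogPath = $null   # set to the Malwarebytes <long-guid>.json path to check a real log instead
$json = if ($LogPath) { Get-Content -LiteralPath $LogPath -Raw } else { $sampleJson }
Get-DetectionRecords -JsonText $json | ForEach-Object { Test-DetectionRecord $_ } | Format-List
```

On a real log the file is usually already quarantined, so OnDisk comes back false; the SHA256FromLog field is then the value to search on, which is exactly the lookup Neemobeer did a few posts later.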
"Neemobeer" No 'start up' programs that are unusual... I'm sorry, I deleted the files out of quarantine. I'll have to wait until I get another one, and if you'd still like me to zip it and DM it, I'd be happy to.
 

No hits on some of the bigger IOC exchanges, so it's probably one of...
  • new malware
  • polymorphic
  • not malware
 

"resolvedPath": "C:\\Users\\sneek\\
I think that means the infiltration has managed to get itself elevated to Admin level [something that is required for creating a folder within C:\Users].
Added a bit later - Sorry, it's only just clicked - sneek is your username.
If MB is not identifying a source of the action, then what about running a Windows Defender Offline scan?


Denis
 

My Computer My Computer

At a glance

Windows 11 Home x64 Version 25H2 Build 26200....
OS
Windows 11 Home x64 Version 25H2 Build 26200.8037
Well, I just checked 3 laptops and another desktop, same OSes, hardware almost identical, same with software: clean, no infections. So at least I've got it nailed down to which PC. Something had to have been dropped on me somehow. I'm certain another will follow today, so I'll have to see if I can't get a handle on where it's from. I'll run an offline scan and see if something pops. Thank you Try3 and all!
 

Going to close the thread and update when and if I find out what it is. Thank you again.
 
